@astrasyncai/verification-gateway 1.0.0

package/dist/adapters/nextjs.js

@@ -0,0 +1,624 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/adapters/nextjs.ts
+var nextjs_exports = {};
+__export(nextjs_exports, {
+  createMatcherConfig: () => createMatcherConfig,
+  createMiddleware: () => createMiddleware
+});
+module.exports = __toCommonJS(nextjs_exports);
+
+// src/access-levels.ts
+var ACCESS_LEVEL_HIERARCHY = {
+  none: 0,
+  guidance: 1,
+  "read-only": 2,
+  standard: 3,
+  full: 4,
+  internal: 5
+};
+var DEFAULT_TRUST_THRESHOLDS = {
+  none: 0,
+  guidance: 0,
+  "read-only": 20,
+  standard: 40,
+  full: 70,
+  internal: 0
+  // Internal is based on org membership, not score
+};
+function getTrustLevel(score) {
+  if (score >= 80) return "PLATINUM";
+  if (score >= 60) return "GOLD";
+  if (score >= 40) return "SILVER";
+  return "BRONZE";
+}
+function hasMinimumAccess(actual, required) {
+  return ACCESS_LEVEL_HIERARCHY[actual] >= ACCESS_LEVEL_HIERARCHY[required];
+}
+function getAccessLevelForScore(trustScore, thresholds = DEFAULT_TRUST_THRESHOLDS) {
+  if (trustScore >= thresholds.full) return "full";
+  if (trustScore >= thresholds.standard) return "standard";
+  if (trustScore >= thresholds["read-only"]) return "read-only";
+  return "guidance";
+}
+function determineAccessLevel(verified, trustScore, isOrgMember, customThresholds) {
+  if (!verified) {
+    return "guidance";
+  }
+  if (isOrgMember) {
+    return "internal";
+  }
+  const thresholds = {
+    ...DEFAULT_TRUST_THRESHOLDS,
+    ...customThresholds
+  };
+  return getAccessLevelForScore(trustScore, thresholds);
+}
+
+// src/verify.ts
+var DEFAULT_CONFIG = {
+  apiBaseUrl: "https://api.astrasync.ai",
+  defaultAccessLevel: "guidance",
+  minTrustScore: 40,
+  minTrustScoreForFull: 70,
+  cacheTtl: 300,
+  // 5 minutes
+  debug: false
+};
+var verificationCache = /* @__PURE__ */ new Map();
+function getCacheKey(credentials) {
+  return `${credentials.astraId || ""}-${credentials.apiKey || ""}-${credentials.jwt || ""}`;
+}
+function getCachedResult(credentials) {
+  const key = getCacheKey(credentials);
+  const cached = verificationCache.get(key);
+  if (cached && cached.expiresAt > Date.now()) {
+    return cached.result;
+  }
+  if (cached) {
+    verificationCache.delete(key);
+  }
+  return null;
+}
+function cacheResult(credentials, result, ttlSeconds) {
+  const key = getCacheKey(credentials);
+  verificationCache.set(key, {
+    result,
+    expiresAt: Date.now() + ttlSeconds * 1e3
+  });
+}
+function hasCredentials(credentials) {
+  return !!(credentials.astraId || credentials.apiKey || credentials.jwt);
+}
+function createGuidanceResponse(config, reason) {
+  const guidance = {
+    message: "This service verifies AI agents before granting access. Please register your agent with AstraSync.",
+    registrationUrl: `${config.apiBaseUrl.replace("/api", "")}/register`,
+    documentationUrl: `${config.apiBaseUrl.replace("/api", "")}/docs/agent-access`,
+    steps: [
+      "Register for an AstraSync account",
+      "Create and register your agent",
+      "Add your ASTRA-ID to request headers",
+      "Retry your request"
+    ]
+  };
+  return {
+    verified: false,
+    accessLevel: "guidance",
+    guidance,
+    denialReasons: reason ? [reason] : ["No valid agent credentials provided"],
+    verifiedAt: /* @__PURE__ */ new Date()
+  };
+}
+async function callVerifyAccessAPI(config, request) {
+  const { credentials, ...requestData } = request;
+  const body = {
+    agentId: credentials.astraId,
+    purpose: requestData.purpose || "general"
+  };
+  if (requestData.action) body.action = requestData.action;
+  if (requestData.resourceType) body.resourceType = requestData.resourceType;
+  if (requestData.resource) body.resource = requestData.resource;
+  if (requestData.jurisdiction) body.jurisdiction = requestData.jurisdiction;
+  if (requestData.transactionValue) body.transactionValue = requestData.transactionValue;
+  if (requestData.currency) body.currency = requestData.currency;
+  if (requestData.isSubAgentRequest) body.isSubAgentRequest = requestData.isSubAgentRequest;
+  if (requestData.parentAgentId) body.parentAgentId = requestData.parentAgentId;
+  if (requestData.subAgentDepth !== void 0) body.subAgentDepth = requestData.subAgentDepth;
+  if (requestData.enableRuntimeChallenge) body.enableRuntimeChallenge = requestData.enableRuntimeChallenge;
+  if (requestData.createSession) body.createSession = requestData.createSession;
+  if (requestData.counterpartyType) body.counterpartyType = requestData.counterpartyType;
+  if (requestData.runtimeChallengeOptions) body.runtimeChallengeOptions = requestData.runtimeChallengeOptions;
+  const headers = {
+    "Content-Type": "application/json",
+    ...config.customHeaders
+  };
+  if (config.apiKey) {
+    headers["X-API-Key"] = config.apiKey;
+  }
+  if (credentials.authorizationHeader) {
+    headers["Authorization"] = credentials.authorizationHeader;
+  }
+  try {
+    const response = await fetch(`${config.apiBaseUrl}/agents/verify-access`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify(body)
+    });
+    const data = await response.json();
+    if (!response.ok) {
+      return {
+        success: false,
+        error: data.message || data.error || `API returned ${response.status}`
+      };
+    }
+    return data;
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    return {
+      success: false,
+      error: `Failed to call verify-access API: ${message}`
+    };
+  }
+}
+async function verify(config, request) {
+  const mergedConfig = { ...DEFAULT_CONFIG, ...config };
+  if (!hasCredentials(request.credentials)) {
+    return createGuidanceResponse(mergedConfig, "No agent credentials provided");
+  }
+  if (mergedConfig.cacheTtl && mergedConfig.cacheTtl > 0) {
+    const cached = getCachedResult(request.credentials);
+    if (cached) {
+      if (mergedConfig.debug) {
+        console.log("[VerificationGateway] Returning cached result");
+      }
+      return cached;
+    }
+  }
+  if (mergedConfig.debug) {
+    console.log("[VerificationGateway] Calling verify-access API");
+  }
+  const apiResponse = await callVerifyAccessAPI(mergedConfig, request);
+  if (!apiResponse.success) {
+    return createGuidanceResponse(mergedConfig, apiResponse.error);
+  }
+  if (!apiResponse.access?.allowed) {
+    const result2 = {
+      verified: false,
+      accessLevel: "guidance",
+      denialReasons: apiResponse.access?.reason ? [apiResponse.access.reason] : ["Access denied"],
+      requiresStepUp: apiResponse.access?.requiresStepUp,
+      requiresApproval: apiResponse.access?.requiresApproval,
+      guidance: {
+        message: apiResponse.access?.reason || "Access denied by PDLSS policy",
+        registrationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/register`,
+        documentationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/docs/pdlss`
+      },
+      verifiedAt: /* @__PURE__ */ new Date()
+    };
+    return result2;
+  }
+  const agent = apiResponse.agent ? {
+    astraId: apiResponse.agent.astraId,
+    name: apiResponse.agent.name,
+    trustScore: apiResponse.agent.trustScore,
+    trustLevel: getTrustLevel(apiResponse.agent.trustScore),
+    blockchainVerified: apiResponse.agent.blockchainStatus === "verified",
+    status: apiResponse.agent.agentStatus
+  } : void 0;
+  const developer = apiResponse.developer ? {
+    astradId: apiResponse.developer.kyaOwnerId,
+    name: apiResponse.developer.fullName,
+    trustScore: apiResponse.developer.trustScore || 0,
+    verified: apiResponse.developer.identityVerified
+  } : void 0;
+  const organization = apiResponse.organization ? {
+    name: apiResponse.organization.name,
+    verified: apiResponse.organization.verified,
+    trustScore: apiResponse.organization.trustScore
+  } : void 0;
+  const pdlss = apiResponse.access?.pdlss ? {
+    purposeAllowed: apiResponse.access.pdlss.purposeAllowed,
+    withinDuration: apiResponse.access.pdlss.withinDuration,
+    withinLimits: apiResponse.access.pdlss.withinLimits,
+    scopeAllowed: apiResponse.access.pdlss.scopeAllowed,
+    selfInstantiationAllowed: apiResponse.access.pdlss.selfInstantiationAllowed,
+    appliedPolicy: apiResponse.access.appliedPolicy
+  } : void 0;
+  const trustScore = agent?.trustScore || 0;
+  const isOrgMember = false;
+  const accessLevel = determineAccessLevel(
+    true,
+    trustScore,
+    isOrgMember,
+    {
+      "read-only": 20,
+      standard: mergedConfig.minTrustScore || 40,
+      full: mergedConfig.minTrustScoreForFull || 70
+    }
+  );
+  const result = {
+    verified: true,
+    accessLevel,
+    agent,
+    developer,
+    organization,
+    pdlss,
+    requiresStepUp: apiResponse.access?.requiresStepUp,
+    requiresApproval: apiResponse.access?.requiresApproval,
+    verifiedAt: /* @__PURE__ */ new Date(),
+    cacheTtl: mergedConfig.cacheTtl,
+    // Handshake Protocol v10 enhanced fields (present when backend returns them)
+    sessionId: apiResponse.sessionId,
+    runtimeChallenge: apiResponse.runtimeChallenge,
+    tokenGuidance: apiResponse.tokenGuidance,
+    recommendation: apiResponse.recommendation,
+    recommendationReasons: apiResponse.recommendationReasons
+  };
+  if (result.recommendation === "deny") {
+    result.verified = false;
+    result.accessLevel = "none";
+    result.denialReasons = result.recommendationReasons || ["Access denied by AstraSync recommendation"];
+    if (result.runtimeChallenge) {
+      result.guidance = {
+        message: `Verification failed: ${result.runtimeChallenge.reason || "runtime challenge failed"}`,
+        registrationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/register`,
+        documentationUrl: `${mergedConfig.apiBaseUrl?.replace("/api", "")}/docs/runtime-challenge`
+      };
+    }
+  } else if (result.recommendation === "step_up_required") {
+    result.requiresStepUp = true;
+    if (ACCESS_LEVEL_HIERARCHY[result.accessLevel] > ACCESS_LEVEL_HIERARCHY["read-only"]) {
+      result.accessLevel = "read-only";
+    }
+    result.denialReasons = result.recommendationReasons || ["Step-up verification required"];
+  }
+  if (mergedConfig.cacheTtl && mergedConfig.cacheTtl > 0 && result.recommendation !== "deny") {
+    cacheResult(request.credentials, result, mergedConfig.cacheTtl);
+  }
+  return result;
+}
+
+// src/adapters/nextjs.ts
+function extractCredentialsFromNextRequest(request) {
+  const credentials = {};
+  const astraId = request.headers.get("x-astra-id") || request.headers.get("X-Astra-Id");
+  if (astraId) {
+    credentials.astraId = astraId;
+  }
+  const apiKey = request.headers.get("x-api-key") || request.headers.get("X-Api-Key");
+  if (apiKey) {
+    credentials.apiKey = apiKey;
+  }
+  const authHeader = request.headers.get("authorization");
+  if (authHeader) {
+    credentials.authorizationHeader = authHeader;
+    if (authHeader.startsWith("Bearer ")) {
+      credentials.jwt = authHeader.slice(7);
+    }
+  }
+  const url = new URL(request.url);
+  const astraIdParam = url.searchParams.get("astraId");
+  const apiKeyParam = url.searchParams.get("apiKey");
+  if (astraIdParam && !credentials.astraId) {
+    credentials.astraId = astraIdParam;
+  }
+  if (apiKeyParam && !credentials.apiKey) {
+    credentials.apiKey = apiKeyParam;
+  }
+  return credentials;
+}
+function matchRoute(pattern, path) {
+  const regexPattern = pattern.replace(/\*/g, ".*").replace(/\//g, "\\/");
+  const regex = new RegExp(`^${regexPattern}$`);
+  return regex.test(path);
+}
+function findRouteConfig(routes, path, method) {
+  return routes.find((route) => {
+    const methodMatches = route.method === "*" || route.method.toUpperCase() === method.toUpperCase();
+    const pathMatches = matchRoute(route.pattern, path);
+    return methodMatches && pathMatches;
+  });
+}
+function inferPurpose(method) {
+  switch (method.toUpperCase()) {
+    case "GET":
+      return "read";
+    case "POST":
+      return "create";
+    case "PUT":
+    case "PATCH":
+      return "update";
+    case "DELETE":
+      return "delete";
+    default:
+      return "general";
+  }
+}
+function generateCommerceShieldHtml(result, options) {
+  const title = options.commerceShield?.title || "AstraSync Agent Verification";
+  const message = options.commerceShield?.message || result.guidance?.message || "This site verifies AI agents before granting access. We noticed you're visiting without AstraSync credentials.";
+  const registrationUrl = result.guidance?.registrationUrl || "https://astrasync.ai/register";
+  const docsUrl = result.guidance?.documentationUrl || "https://astrasync.ai/docs/agent-access";
+  const allowGuest = options.commerceShield?.allowGuestAccess ?? true;
+  return `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>${title}</title>
+  <style>
+    * {
+      box-sizing: border-box;
+      margin: 0;
+      padding: 0;
+    }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, sans-serif;
+      background: linear-gradient(135deg, #1a1a2e 0%, #16213e 100%);
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      padding: 20px;
+    }
+    .shield-container {
+      background: rgba(255, 255, 255, 0.95);
+      border-radius: 16px;
+      box-shadow: 0 25px 50px -12px rgba(0, 0, 0, 0.5);
+      max-width: 480px;
+      width: 100%;
+      padding: 40px;
+      text-align: center;
+    }
+    .shield-icon {
+      font-size: 48px;
+      margin-bottom: 20px;
+    }
+    .shield-title {
+      font-size: 24px;
+      font-weight: 700;
+      color: #1a1a2e;
+      margin-bottom: 16px;
+    }
+    .shield-message {
+      color: #4a5568;
+      line-height: 1.6;
+      margin-bottom: 24px;
+    }
+    .shield-steps {
+      text-align: left;
+      background: #f7fafc;
+      border-radius: 8px;
+      padding: 20px;
+      margin-bottom: 24px;
+    }
+    .shield-steps h3 {
+      font-size: 14px;
+      font-weight: 600;
+      color: #2d3748;
+      margin-bottom: 12px;
+    }
+    .shield-steps ol {
+      padding-left: 20px;
+      color: #4a5568;
+    }
+    .shield-steps li {
+      margin-bottom: 8px;
+    }
+    .shield-buttons {
+      display: flex;
+      flex-direction: column;
+      gap: 12px;
+    }
+    .btn {
+      display: inline-block;
+      padding: 14px 24px;
+      border-radius: 8px;
+      font-weight: 600;
+      text-decoration: none;
+      transition: all 0.2s;
+      cursor: pointer;
+      border: none;
+      font-size: 16px;
+    }
+    .btn-primary {
+      background: linear-gradient(135deg, #6366f1 0%, #4f46e5 100%);
+      color: white;
+    }
+    .btn-primary:hover {
+      transform: translateY(-2px);
+      box-shadow: 0 4px 12px rgba(99, 102, 241, 0.4);
+    }
+    .btn-secondary {
+      background: #e2e8f0;
+      color: #4a5568;
+    }
+    .btn-secondary:hover {
+      background: #cbd5e0;
+    }
+    .shield-footer {
+      margin-top: 24px;
+      font-size: 14px;
+      color: #718096;
+    }
+    .shield-footer a {
+      color: #6366f1;
+      text-decoration: none;
+    }
+    .shield-footer a:hover {
+      text-decoration: underline;
+    }
+  </style>
+</head>
+<body>
+  <div class="shield-container">
+    <div class="shield-icon">\u{1F6E1}\uFE0F</div>
+    <h1 class="shield-title">${title}</h1>
+    <p class="shield-message">${message}</p>
+
+    <div class="shield-steps">
+      <h3>To get verified access:</h3>
+      <ol>
+        <li>Register at <a href="${registrationUrl}">astrasync.ai/register</a></li>
+        <li>Create and register your agent</li>
+        <li>Add your ASTRA-ID to request headers</li>
+        <li>Refresh this page</li>
+      </ol>
+    </div>
+
+    <div class="shield-buttons">
+      <a href="${registrationUrl}" class="btn btn-primary">Register Now</a>
+      ${allowGuest ? '<button onclick="window.location.reload()" class="btn btn-secondary">Continue as Guest (Limited)</button>' : ""}
+    </div>
+
+    <p class="shield-footer">
+      Learn more: <a href="${docsUrl}">Agent Access Documentation</a>
+    </p>
+  </div>
+</body>
+</html>
+  `.trim();
+}
+function createMiddleware(options) {
+  const {
+    routes = [],
+    skipPaths = [],
+    showCommerceShield = true,
+    ...config
+  } = options;
+  return async function middleware(request) {
+    const { NextResponse } = await import("next/server");
+    const pathname = request.nextUrl.pathname;
+    const shouldSkip = skipPaths.some((pattern) => matchRoute(pattern, pathname));
+    if (shouldSkip) {
+      return NextResponse.next();
+    }
+    const routeConfig = findRouteConfig(routes, pathname, request.method);
+    if (!routeConfig) {
+      return NextResponse.next();
+    }
+    if (routeConfig.minAccessLevel === "none") {
+      return NextResponse.next();
+    }
+    const credentials = extractCredentialsFromNextRequest(request);
+    if (!hasCredentials(credentials) && routeConfig.minAccessLevel !== "guidance") {
+      const result2 = {
+        verified: false,
+        accessLevel: "none",
+        denialReasons: ["No agent credentials provided"],
+        guidance: {
+          message: "This page requires agent verification.",
+          registrationUrl: `${config.apiBaseUrl?.replace("/api", "")}/register`,
+          documentationUrl: `${config.apiBaseUrl?.replace("/api", "")}/docs/agent-access`
+        },
+        verifiedAt: /* @__PURE__ */ new Date()
+      };
+      if (pathname.startsWith("/api/")) {
+        return NextResponse.json(
+          {
+            success: false,
+            error: {
+              code: "UNAUTHORIZED",
+              message: "No agent credentials provided",
+              guidance: result2.guidance
+            }
+          },
+          { status: 401 }
+        );
+      }
+      if (showCommerceShield) {
+        return new NextResponse(generateCommerceShieldHtml(result2, options), {
+          status: 200,
+          headers: {
+            "Content-Type": "text/html",
+            "X-AstraSync-Verification": "commerce-shield"
+          }
+        });
+      }
+      const registerUrl = result2.guidance?.registrationUrl || "/register";
+      return NextResponse.redirect(new URL(registerUrl, request.url));
+    }
+    const purpose = request.headers.get("x-purpose") || inferPurpose(request.method);
+    const result = await verify(config, {
+      credentials,
+      purpose,
+      action: request.method.toLowerCase(),
+      resource: pathname,
+      clientIp: request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || void 0,
+      userAgent: request.headers.get("user-agent") || void 0
+    });
+    if (!hasMinimumAccess(result.accessLevel, routeConfig.minAccessLevel)) {
+      if (pathname.startsWith("/api/")) {
+        return NextResponse.json(
+          {
+            success: false,
+            error: {
+              code: result.verified ? "INSUFFICIENT_ACCESS" : "UNAUTHORIZED",
+              message: result.denialReasons?.[0] || "Access denied",
+              accessLevel: result.accessLevel,
+              required: routeConfig.minAccessLevel,
+              guidance: result.guidance
+            }
+          },
+          { status: result.verified ? 403 : 401 }
+        );
+      }
+      if (showCommerceShield) {
+        return new NextResponse(generateCommerceShieldHtml(result, options), {
+          status: 200,
+          headers: {
+            "Content-Type": "text/html",
+            "X-AstraSync-Verification": "commerce-shield"
+          }
+        });
+      }
+      return NextResponse.redirect(new URL("/unauthorized", request.url));
+    }
+    const response = NextResponse.next();
+    response.headers.set("X-AstraSync-Verified", result.verified.toString());
+    response.headers.set("X-AstraSync-Access-Level", result.accessLevel);
+    if (result.agent) {
+      response.headers.set("X-AstraSync-Agent-Id", result.agent.astraId);
+      response.headers.set("X-AstraSync-Trust-Score", result.agent.trustScore.toString());
+    }
+    return response;
+  };
+}
+function createMatcherConfig(paths) {
+  return { matcher: paths };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createMatcherConfig,
+  createMiddleware
+});
+//# sourceMappingURL=nextjs.js.map